What laws regulate cybersecurity in the European Union and in Spain?

The Internet and the consequent emergence of new technologies has led to the emergence of new forms of crimes and breaches of norms that we couldn’t have expected only a decade ago. Therefore, it has been necessary to adapt the different laws that exist, in order to regulate and protect citizens and companies from all these cyber attacks as much as possible. New rules and protocols to regulate those new situations, not foreseen until now in the offline world, have also been established.

In this guest post from Vanesa Alarcón, IT Lawyer and Founding Partner of Avatic Abogados, we will talk about the Spanish and European laws that are putting order in cyberspace, trying to put a stop to the new generations of cybercriminals.

This post is also available in Spanish.

What is cybersecurity?

Before talking about the rules that apply to cybersecurity in Spain and in the EU, first we must define what this word means. According to the dictionary from the National Initiative for Cybersecurity Careers and Studies (NICCS) in the United States, whose website is owned by the Department of Homeland Security, cybersecurity is “the activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.”

That means, that cybersecurity comprises of those measures designed to protect users and companies that operate in the Internet. In reality, cybersecurity is part of a broader concept called information security, which aims to protect the digital information from systems that are interconnected.

There are other concepts related to cybersecurity, such as cybercrime, cyber threats or cyberspace, whose main and common feature lies in their existence in the network. Therefore:

• Cybercrime: Consists of all those criminal behaviors that are practised through the use of the internet.
  
• Cyber threats: The possibility to hurt people or organisms through the use of the Internet.
  
• Cyberspace: The simulated reality implemented within computers and digital networks that exist worldwide, being a concept much broader than the Internet.

In short, cybersecurity is intended to protect us against attacks or illegal actions of third parties in the Internet.

What could be considered as an illicit or illegal action?

An illicit action could be anything from an online scam, the introduction of a computer virus into the computers in a certain company, stealing account information and/or passwords from users on a certain platform, publish lies about someone or even impersonation or identity theft.

Therefore, cybersecurity covers many subjects related to criminal and civil law, and the protection of honor or privacy, among others, that are also applied in the real and physical world. What has to be taken into account is the online dimension in which these illicit or illegal actions are produced, and the resulting impact due to the fact of occurring in the digital world.

What rules would therefore regulate cybersecurity?

Cybersecurity is composed of a compendium of rules, since there is no single rule that regulates everything.

In the European Union

There is a recent European Directive, the Directive 2016/1148, related to the measures created to ensure a higher level of security in the EU’s information networks and systems.  

This Directive provides a couple of articles related with the security of networks and information systems for essential service operators and for digital service providers.

Thus, Article 14 states that “Member States shall ensure that operators of essential services take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed.”

That means that member states shall ensure that measures adequate or proportionate to the risk involved are fulfilled. They also must take measures to minimize, reduce or prevent incidences that affect security.

Likewise, member states should also notify without any delay to the appropriate authority or to the CSIRT (Computer Security Incident Response Teams) incidents that have a significant effect on the continuity of essential services that they provide, so that action can be taken, either institutionally or nationally, depending on the case.

Article 16 also establishes the member state’s duty for ensuring that digital service providers to identify and adopt proportionate technical and organizational security measures to manage the existing risks posed to the security of network and information systems that they use. To do so, they must adopt measures regarding the security of systems and installations, incident management, managing continued activities, supervision, audits, tests and complying with international standards.

In Spain

In Spain there is a Code for the Cybersecurity Law, published in the Official State Bulletin (BOE - Boletin Oficial del Estado), which states the main rules to be taken into account regarding the protection of  cyberspace and to ensure the aforementioned cybersecurity.

This code references the following laws, among others:

• National Security Regulations:

• Law 36/2015, of September 28 on National Security, which regulates the key principles and agencies, as well as the functions they must perform, for the defense of the National Security.
• Order TIN/3016/2011, of October 28, which established the Security on Information and Communication Technologies Committee of the Ministry of Labor and Immigration.
• Security regulations:
• Organic Law 4/2015, of March 30, on the protection of public safety.
• Law 5/2014, of April 4, on Private Security.
• In relation to security incidents, there is a whole network related to the Armed Forces, but there is also a partial inclusion in the Law 34/2002, of July 1, on services to the society of information and electronic commerce.
• Regarding telecommunications, the following rules exist:
• Law 34/2002, of July 11, on services to the information society and e-commerce (cited above).
• Royal Decree 381/2015, of May 14, which establishes measures against illegal or irregular traffic which has fraudulent purposes in electronic communications.
• Law 50/2003, of December 19, on the electronic signature.
• Law 9/2014, of May 9, general telecommunications.
• Law 25/2007, of October 18, on the retention of data related to electronic communications and public communication networks.
• Related to cybercrime, we find partial inclusions in the Criminal Code, the Organic Law  5/2000, of January 12, which regulates the criminal responsibility of minors; or in the Royal Decree approving the Criminal Procedure Law.
• Also applicable is the regulation on the protection of data,  developed by the Organic Law 15/1999, of December 13 and its regulations, approved by the Royal Decree 1720/2007 of December 21.

As you can see, there is a very complex network that aims to regulate many different situations that can happen on the Internet.

Other laws that regulate cybersecurity at a technical and organizational level

Regarding cybersecurity at a technical and organizational level, it is also necessary to take into account the new European Data Protection Regulation - Regulation (EU) 2016/679; as well as the existence of other types of international protocols or rules, especially those related to the international transfer of data, such as the Privacy Shield.

These are just some of the rules that aim to protect cyberspace, but there are many more detailed ones that regulate even more specific aspects.

For example, the rules that must be taken into account when committing a criminal act related to impersonating a brand or company, the unlawful use of it or the infringement of creations from authors protected by intellectual property. In these cases, in addition to the rules that appear in the Spanish code mentioned before, it is also necessary to take into account the trademark law or the regulations on intellectual and industrial property, as it corresponds.

Cybersecurity can therefore be broken not only by the commission or omission of certain acts that have to do with security in itself, but sometimes the right of a third party can also be affected by taking advantage of acts that go specifically against the security of a network.

This post is also available in Spanish.

RELATED POSTS

• How can SMEs secure their business against cybercrime?
• 10 essential steps to develop a cyber security plan for your company.